Workspace ONE UEM utilizes ACC and the Credential Escrow Gateway feature to send encrypted skeleton profiles back and forth between the SMIME certificate and Workspace ONE UEM. Learn more about the requirements and architecture behind the Credential Escrow Gateway feature.

System Requirements

The following system requirements are recommended for supporting 100,000 devices in Credential Escrow Gateway.

Escrow Gateway

Up to 100,000 devices


System Requirements

CPU - 4 cores

Per 8,000 devices, up to a maximum of 32,000 devices (8 CPU / 16 GB RAM) per application server.


16 GB

Escrow Gateway uses Redis as its primary data store. Because Redis is an in-memory database, it is essential to allocate sufficient memory. By default, Escrow Gateway caps the total memory used by Redis at 8 GB. The remaining memory is available to other system processes and applications.

Disk Space

40 GB


*Continuous load of 40 requests per second.

*If you adhere to the recommendations in this table.

Required Network Configurations

Credential Escrow Gateway uses port 443 for inbound API requests from ACC, and an outbound connection to send completed, encrypted profiles (the skeleton profile from UEM hydrated with the customer-uploaded SMIME certificate) back to Workspace ONE UEM.

Source Component

Destination Component





HTTPS (inbound to AWCM)

2001 - OnPrem



HTTPS (inbound to AWCM)

443 - SaaS



HTTPS (inbound to ACC)


Escrow Gateway

Workspace ONE UEM API

HTTPS (outbound from Escrow Gateway)


PKI/Certificate Authority

Escrow Gateway

Open Firewall

Escrow Gateway Architecture Diagram

The following diagram illustrates the Credential Escrow Gateway components and how those components work with your environment.